floxif | 4d755a10eded5fa0b078816178f9d055dfcf3e6cf3b2aa9212a40392055b78fc

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-12-2024 21:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d755a10eded5fa0b078816178f9d055dfcf3e6cf3b2aa9212a40392055b78fc.exe
Size

124KB
MD5

06ceb19dea361d4012aa159f6374436c
SHA1

3e35ad7f8af396838bb3612b4f2dda01565c4cad
SHA256

4d755a10eded5fa0b078816178f9d055dfcf3e6cf3b2aa9212a40392055b78fc
SHA512

4f48555d9c55a34ff97779bf9602f6b655e5799eb22234e99921b2d2043defcd8c6f9ea1bfe9e541fecd5908ae7961a3eed31c7a7c19dfa4f3a766d0798e447b
SSDEEP

1536:gdd/uHw79MOQ3Ss7TN2s+zheW6BVrqzCJ3bdDY+W14N4NmzWlIA7hKRQw:yugQ33l2lQBV+UdE+rECWp7hKP

Score

10^/10

floxif backdoor discovery evasion persistence trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	4d755a10eded5fa0b078816178f9d055dfcf3e6cf3b2aa9212a40392055b78fc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	ppsap.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ppsap.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	4d755a10eded5fa0b078816178f9d055dfcf3e6cf3b2aa9212a40392055b78fc.exe

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral2/files/0x000c000000023b8d-1.dat	floxif

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000c000000023b8d-1.dat	acprotect

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\????.lnk	4d755a10eded5fa0b078816178f9d055dfcf3e6cf3b2aa9212a40392055b78fc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\????.lnk	ppsap.exe

Executes dropped EXE 64 IoCs

pid	Process
3960	ppsap.exe
4588	ppsap.exe
4780	ppsap.exe
1876	ppsap.exe
4916	ppsap.exe
2252	ppsap.exe
208	ppsap.exe
4752	ppsap.exe
2856	ppsap.exe
8	ppsap.exe
3064	ppsap.exe
3624	ppsap.exe
1908	ppsap.exe
2896	ppsap.exe
2948	ppsap.exe
1264	ppsap.exe
5040	ppsap.exe
4784	ppsap.exe
948	ppsap.exe
3692	ppsap.exe
1464	ppsap.exe
4748	ppsap.exe
3928	ppsap.exe
1772	ppsap.exe
964	ppsap.exe
716	ppsap.exe
2656	ppsap.exe
1668	ppsap.exe
2620	ppsap.exe
4136	ppsap.exe
3652	ppsap.exe
1124	ppsap.exe
3440	ppsap.exe
3660	ppsap.exe
1664	ppsap.exe
3200	ppsap.exe
3788	ppsap.exe
1800	ppsap.exe
4336	ppsap.exe
2948	ppsap.exe
3472	ppsap.exe
4060	ppsap.exe
5084	ppsap.exe
3908	ppsap.exe
2848	ppsap.exe
5020	ppsap.exe
4296	ppsap.exe
4260	ppsap.exe
4472	ppsap.exe
4808	ppsap.exe
3992	ppsap.exe
4152	ppsap.exe
1016	ppsap.exe
2380	ppsap.exe
2720	ppsap.exe
4580	ppsap.exe
5008	ppsap.exe
3972	ppsap.exe
5064	ppsap.exe
3524	ppsap.exe
4732	ppsap.exe
1308	ppsap.exe
744	ppsap.exe
1748	ppsap.exe

Loads dropped DLL 1 IoCs

pid	Process
2752	4d755a10eded5fa0b078816178f9d055dfcf3e6cf3b2aa9212a40392055b78fc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PPS Accelerator = "C:\\Windows\\system32\\ppsap.exe"	4d755a10eded5fa0b078816178f9d055dfcf3e6cf3b2aa9212a40392055b78fc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PPS Accelerator = "C:\\Windows\\system32\\ppsap.exe"	ppsap.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ppsap.exe	4d755a10eded5fa0b078816178f9d055dfcf3e6cf3b2aa9212a40392055b78fc.exe
File opened for modification	C:\Windows\SysWOW64\ppsap.exe	4d755a10eded5fa0b078816178f9d055dfcf3e6cf3b2aa9212a40392055b78fc.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000c000000023b8d-1.dat	upx
behavioral2/memory/2752-4-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/2752-20-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	4d755a10eded5fa0b078816178f9d055dfcf3e6cf3b2aa9212a40392055b78fc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppsap.exe

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31152296"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60186bd4a858db01	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3415980073"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31152296"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31152296"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3417386494"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3417386494"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bb73de6dedeff944803e966ed336312400000000020000000000106600000001000020000000f2f1f03e37957a7257e81c9f44d3f896ba9116afa78c635c3ad0f5a3deb1c7dc000000000e80000000020000200000000ed130a432a86a6d9f18a1b9dd048ae4ad2aba5cedc39bfdccaaaf2bd449c44e2000000079ad62a09719d911a09fc78fe934b0a2999ba2f6f7a918ac62f2dbee90dfa44c40000000c5a4f35b4cb6b97c26d70cecaaeb338efb07ac1cba812c5bcd64843a03e721725174f2bac6760e2352a92f9f2962bd7c2d8e40607f0a9385bbb095511000b7a9	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{F71F1A37-C49B-11EF-B9B6-CEB9D96D8528} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3415980073"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31152296"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 504472d4a858db01	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "442100936"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bb73de6dedeff944803e966ed3363124000000000200000000001066000000010000200000001320dbbefc78da543278f009bad2f3dee87cdff7892881f10f0db8ef7a61ede5000000000e8000000002000020000000f5d46dad81ac1ce9fe0d908350838d53c04fbd9201f8013a16705fd9ceb68a922000000006a1659cc5280ab2578dc9964d5dc50941aabe2f27693f5c40b221d24b1a84e2400000009dfeecd38e4eaa20462736b132943f37c6e375458807f23feaf7f416c4c367a613a90a66c1d37d8699e62b158d74103b0251fa39f69ba3ff03aa8d8d5b04efce	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2752	4d755a10eded5fa0b078816178f9d055dfcf3e6cf3b2aa9212a40392055b78fc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3548	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2752	4d755a10eded5fa0b078816178f9d055dfcf3e6cf3b2aa9212a40392055b78fc.exe
3960	ppsap.exe
3548	IEXPLORE.EXE
3548	IEXPLORE.EXE
452	IEXPLORE.EXE
452	IEXPLORE.EXE
4588	ppsap.exe
4780	ppsap.exe
1876	ppsap.exe
4916	ppsap.exe
2252	ppsap.exe
208	ppsap.exe
4752	ppsap.exe
2856	ppsap.exe
8	ppsap.exe
3064	ppsap.exe
3624	ppsap.exe
1908	ppsap.exe
2896	ppsap.exe
2948	ppsap.exe
1264	ppsap.exe
452	IEXPLORE.EXE
452	IEXPLORE.EXE
5040	ppsap.exe
4784	ppsap.exe
948	ppsap.exe
3692	ppsap.exe
1464	ppsap.exe
4748	ppsap.exe
3928	ppsap.exe
1772	ppsap.exe
964	ppsap.exe
716	ppsap.exe
2656	ppsap.exe
1668	ppsap.exe
2620	ppsap.exe
4136	ppsap.exe
3652	ppsap.exe
1124	ppsap.exe
3440	ppsap.exe
3660	ppsap.exe
1664	ppsap.exe
3200	ppsap.exe
3788	ppsap.exe
1800	ppsap.exe
4336	ppsap.exe
2948	ppsap.exe
3472	ppsap.exe
4060	ppsap.exe
5084	ppsap.exe
3908	ppsap.exe
2848	ppsap.exe
5020	ppsap.exe
4296	ppsap.exe
4260	ppsap.exe
4472	ppsap.exe
4808	ppsap.exe
3992	ppsap.exe
4152	ppsap.exe
1016	ppsap.exe
2380	ppsap.exe
2720	ppsap.exe
4580	ppsap.exe
5008	ppsap.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2752 wrote to memory of 3960	2752	4d755a10eded5fa0b078816178f9d055dfcf3e6cf3b2aa9212a40392055b78fc.exe	83
PID 2752 wrote to memory of 3960	2752	4d755a10eded5fa0b078816178f9d055dfcf3e6cf3b2aa9212a40392055b78fc.exe	83
PID 2752 wrote to memory of 3960	2752	4d755a10eded5fa0b078816178f9d055dfcf3e6cf3b2aa9212a40392055b78fc.exe	83
PID 3960 wrote to memory of 3548	3960	ppsap.exe	84
PID 3960 wrote to memory of 3548	3960	ppsap.exe	84
PID 3548 wrote to memory of 452	3548	IEXPLORE.EXE	85
PID 3548 wrote to memory of 452	3548	IEXPLORE.EXE	85
PID 3548 wrote to memory of 452	3548	IEXPLORE.EXE	85
PID 3960 wrote to memory of 4588	3960	ppsap.exe	86
PID 3960 wrote to memory of 4588	3960	ppsap.exe	86
PID 3960 wrote to memory of 4588	3960	ppsap.exe	86
PID 3960 wrote to memory of 4780	3960	ppsap.exe	87
PID 3960 wrote to memory of 4780	3960	ppsap.exe	87
PID 3960 wrote to memory of 4780	3960	ppsap.exe	87
PID 3960 wrote to memory of 1876	3960	ppsap.exe	89
PID 3960 wrote to memory of 1876	3960	ppsap.exe	89
PID 3960 wrote to memory of 1876	3960	ppsap.exe	89
PID 3960 wrote to memory of 4916	3960	ppsap.exe	90
PID 3960 wrote to memory of 4916	3960	ppsap.exe	90
PID 3960 wrote to memory of 4916	3960	ppsap.exe	90
PID 3960 wrote to memory of 2252	3960	ppsap.exe	91
PID 3960 wrote to memory of 2252	3960	ppsap.exe	91
PID 3960 wrote to memory of 2252	3960	ppsap.exe	91
PID 3960 wrote to memory of 208	3960	ppsap.exe	92
PID 3960 wrote to memory of 208	3960	ppsap.exe	92
PID 3960 wrote to memory of 208	3960	ppsap.exe	92
PID 3960 wrote to memory of 4752	3960	ppsap.exe	93
PID 3960 wrote to memory of 4752	3960	ppsap.exe	93
PID 3960 wrote to memory of 4752	3960	ppsap.exe	93
PID 3960 wrote to memory of 2856	3960	ppsap.exe	94
PID 3960 wrote to memory of 2856	3960	ppsap.exe	94
PID 3960 wrote to memory of 2856	3960	ppsap.exe	94
PID 3960 wrote to memory of 8	3960	ppsap.exe	95
PID 3960 wrote to memory of 8	3960	ppsap.exe	95
PID 3960 wrote to memory of 8	3960	ppsap.exe	95
PID 3960 wrote to memory of 3064	3960	ppsap.exe	96
PID 3960 wrote to memory of 3064	3960	ppsap.exe	96
PID 3960 wrote to memory of 3064	3960	ppsap.exe	96
PID 3960 wrote to memory of 3624	3960	ppsap.exe	97
PID 3960 wrote to memory of 3624	3960	ppsap.exe	97
PID 3960 wrote to memory of 3624	3960	ppsap.exe	97
PID 3960 wrote to memory of 1908	3960	ppsap.exe	98
PID 3960 wrote to memory of 1908	3960	ppsap.exe	98
PID 3960 wrote to memory of 1908	3960	ppsap.exe	98
PID 3960 wrote to memory of 2896	3960	ppsap.exe	99
PID 3960 wrote to memory of 2896	3960	ppsap.exe	99
PID 3960 wrote to memory of 2896	3960	ppsap.exe	99
PID 3960 wrote to memory of 2948	3960	ppsap.exe	100
PID 3960 wrote to memory of 2948	3960	ppsap.exe	100
PID 3960 wrote to memory of 2948	3960	ppsap.exe	100
PID 3960 wrote to memory of 1264	3960	ppsap.exe	101
PID 3960 wrote to memory of 1264	3960	ppsap.exe	101
PID 3960 wrote to memory of 1264	3960	ppsap.exe	101
PID 3960 wrote to memory of 5040	3960	ppsap.exe	104
PID 3960 wrote to memory of 5040	3960	ppsap.exe	104
PID 3960 wrote to memory of 5040	3960	ppsap.exe	104
PID 3960 wrote to memory of 4784	3960	ppsap.exe	109
PID 3960 wrote to memory of 4784	3960	ppsap.exe	109
PID 3960 wrote to memory of 4784	3960	ppsap.exe	109
PID 3960 wrote to memory of 948	3960	ppsap.exe	110
PID 3960 wrote to memory of 948	3960	ppsap.exe	110
PID 3960 wrote to memory of 948	3960	ppsap.exe	110
PID 3960 wrote to memory of 3692	3960	ppsap.exe	111
PID 3960 wrote to memory of 3692	3960	ppsap.exe	111

C:\Users\Admin\AppData\Local\Temp\4d755a10eded5fa0b078816178f9d055dfcf3e6cf3b2aa9212a40392055b78fc.exe
"C:\Users\Admin\AppData\Local\Temp\4d755a10eded5fa0b078816178f9d055dfcf3e6cf3b2aa9212a40392055b78fc.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Windows\SysWOW64\ppsap.exe
  C:\Windows\system32\ppsap.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3960
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://shop58477515.taobao.com/
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3548
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3548 CREDAT:17410 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:452
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4588
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4780
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1876
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4916
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2252
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:208
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4752
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2856
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:8
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3064
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3624
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1908
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2896
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2948
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1264
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5040
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4784
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:948
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3692
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1464
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4748
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3928
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1772
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:964
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:716
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2656
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1668
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2620
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4136
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3652
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1124
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3440
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3660
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1664
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3200
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3788
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1800
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4336
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2948
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3472
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4060
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5084
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3908
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2848
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5020
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4296
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4260
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4472
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4808
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3992
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4152
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1016
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2380
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2720
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4580
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5008
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    PID:3972
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    PID:5064
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3524
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    PID:4732
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    PID:1308
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    PID:744
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1748
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:3756
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:4816
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3504
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:996
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:532
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1044
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:2260
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:5096
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1424
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1664
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:3600
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:2232
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:1244
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2020
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:3884
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:1856
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:2760
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4756
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:3796
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4364
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:888
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:624
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:1460
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2592
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:948
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:1596
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4872
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2812
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:544
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4748
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:3584
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3900
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2380
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:3356
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:548
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:512
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:3564
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:4536
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1436
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:1036
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:4988
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:4388
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1992
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:3808
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:636
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:3964
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:1356
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2860
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:1592
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:2956
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:1228
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1000
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2088
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:220
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:4412
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:4972
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:2728
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5096
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3596
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:4484
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1908
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:2792
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1684
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:4312
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:2064
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3392
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:3796
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:4252
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4200
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4320
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4572
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:888
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:4828
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:884
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1460
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2332
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1892
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    PID:3604
- - C:\Windows\SysWOW64\ppsap.exe
    C:\Windows\system32\ppsap.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
54a1b1095226978313782771a5b10c00

SHA1
48b16839c462c31035262fb8a1b27500afa08d76

SHA256
1ea0e620fb67db2a70d652123f8eb51845806c023fb99cd584b2b063a30fd790

SHA512
b6b8f8a053395bb63477d66d8bfab4f773b2f2b64e3509e127256534a24ee108f7d259d6e934131d511ff3926fc139ecf0579967520e220985efb0607392118b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
f110feb3fdb7c71f34e8c945281b1aa7

SHA1
6ce8a7ac43f84b0c0697b97b5628454d57131416

SHA256
cd1eb2b6757920c6188146f7c64524c02a9cff43e2bd41035764b3bb98abe241

SHA512
603ea1102323112795d97e0173ddab82aa5711256e4c1dfbc61a2cca08da59c5d2d495afab01462084d15cc8059569e0e00ec91c26f0c418f3ee850fcc02e8b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver79C.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UV4TX9UP\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Windows\SysWOW64\ppsap.exe

Filesize
48KB

MD5
3737ba529e30d839994b9c5ed8d12f74

SHA1
74aeb4d74ef1c4470cbdf2737d796e7dd4a5ba2f

SHA256
c2bbe83bd4544f9bdec1180ab56f9e0280d5e07ff24bc7aac7990f1053c1cf46

SHA512
8bb4e15f0e0512a964f3c71e1373a30ee8d0fffed58161d4cfe8d1c757eae2fcd51e6d697018d88e0829ed205ad28417aafa9585594fa58e92246139f5a8dcd1

Download Submit
memory/2752-4-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2752-8-0x0000000000403000-0x0000000000407000-memory.dmp

Filesize
16KB

Download
memory/2752-20-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads